I have been hit by the same problem. It seems that the masquerade rules from networkAddMasqueradingIptablesRules do not always get run.
I see the masquerade rule from bridge - tun/tap to eth0 gets created only at boot time, if ever. My KVM guests don't get to the network anymore. See the reproduction with output in the attachments; here's the magic to trigger the bug:
sudo service iptables status
- right after boot I can see the masquerade rule
sudo service libvirtd stop
sudo service iptables stop
sudo service iptables start
sudo service libvirtd start
sudo service iptables status
-> masquerade rule is gone
I attach output for those commands along with the debug log of libvirtd and config for nat interface.
About the versions:
$ rpm -q kernel libvirt qemu-kvm
kernel-2.6.31.6-145.fc12.x86_64
libvirt-0.7.1-15.fc12.x86_64
qemu-kvm-0.11.0-11.fc12.x86_64
$ uname -a
Linux whipper.mobile.fp.nsn-rdnet.net 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
And I can reproduce this also on my f12 i386 laptop. Actually I cannot get the network to work on either machine.
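
To test for the state the reproduction above describes without reading the full rule listing by eye, this added example (not part of the report or of libvirt) parses iptables-save output and checks for a nat-table POSTROUTING MASQUERADE rule covering the guest subnet. The subnet 192.168.122.0/24 and the bridge name virbr0 are assumptions (libvirt defaults), and both rule listings are constructed samples.

```shell
# Added example (not from the bug report). NET is an assumption: libvirt's
# default NAT subnet. Both rule listings below are constructed samples.
NET=192.168.122.0/24

# has_masquerade CIDR: reads iptables-save output on stdin; succeeds only if
# the nat table holds a POSTROUTING rule that masquerades traffic from CIDR.
has_masquerade() {
    awk -v cidr="$1" '
        /^\*/ { table = substr($0, 2) }      # "*nat" / "*filter" opens a table
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; target = ""
            for (i = 3; i < NF; i++) {
                # skip negated matches such as "! -s CIDR"
                if ($i == "-s" && $(i - 1) != "!") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src == cidr && target == "MASQUERADE") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

sample_after_boot() {        # constructed: state right after boot
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
EOF
}

sample_after_restart() {     # constructed: after the stop/start sequence
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# On a live host (as root): iptables-save | has_masquerade "$NET"
for s in sample_after_boot sample_after_restart; do
    if $s | has_masquerade "$NET"; then echo "$s: masquerade rule present"
    else echo "$s: masquerade rule MISSING"; fi
done
```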

libvirt has no sane way of integrating with iptables.
We previously tried using lokkit, but if the user had configured iptables
manually (i.e. without lokkit) we'd end up clobbering their rules.
We simply need a way to say to iptables "we've added these rules, please load
them when you restart" without overwriting the current configuration. We also
need lokkit/system-config-firewall to not overwrite these rules when the user
modifies the configuration.
The whole sorry saga is well documented in bug #227011.
*** This bug has been marked as a duplicate of bug 227011 ***